Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove server id and expiry #99

Merged
merged 4 commits into from
Nov 29, 2018
Merged

Remove server id and expiry #99

merged 4 commits into from
Nov 29, 2018

Conversation

zanebeckwith
Copy link
Collaborator

Following this issue and this issue in xtt-spec, this series removes the server ID and expiry fields from the server certificate, and replaces them with a single "reserved" field of the same total size (to maintain backward-compatibility).

As part of this, this series also updates the ASN.1 key-wrapping to create x509 certificates that don't expire (by using the earliest-possible notBeforeDate and the recommended notAfterDate).

The tool still allows the user to specify a file with 24 bytes to insert in the "reserved" field of the server certificate. However, the default is to use a value that corresponds to Xaptum's production server ID and a non-expiring expiry (December 31 in the year 9999). This way, any existing clients that still check server ID and expiry will continue to accept the new certificates.

closes #91 and closes #79

@zanebeckwith zanebeckwith self-assigned this Nov 27, 2018
@zanebeckwith
util: Include the correct header for generate_server_certificate.
b8c62a8 
Otherwise, the compiler isn't checking the signatures between the
implementation and the header.
drbild
drbild approved these changes Nov 28, 2018
View reviewed changes
Copy link
Contributor

@drbild drbild left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

src/util/generate_server_certificate.c Outdated Show resolved Hide resolved
include/xtt/return_codes.h Outdated Show resolved Hide resolved
@zanebeckwith
Convert server-id and expiry to "reserved" in server cert.
c9d2920 
This is following the recent change to the XTT spec.
@zanebeckwith
x509: Use unexpiring validity dates when wrapping in x509
358a15d 
To allow for the new validity dates, we had to switch from UTCTime to
GeneralizedTime.
According to the x509 RFC, the validity period for a certificate that
shouldn't expire SHOULD be 99991231235959Z.
Similarly, the earliest-possible GeneralizedTime is 00000101000000Z.
@zanebeckwith
return_codes: Explicitly number the codes in the enum.
2d493d0
@zanebeckwith zanebeckwith merged commit 26e4c0c into xaptum:master Nov 29, 2018
@zanebeckwith zanebeckwith deleted the no-id-expiry branch November 29, 2018 15:28
@zanebeckwith zanebeckwith mentioned this pull request Nov 29, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kathrynfejer kathrynfejer kathrynfejer left review comments

@drbild drbild drbild approved these changes

Assignees

@zanebeckwith zanebeckwith

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remove server ID from server certificates Disable validity periods in certificates
3 participants
@zanebeckwith @drbild @kathrynfejer